AirWave Wireless Management Suite | Configuration Guide Aruba Configuration Reference | 141

Security > User Roles

A client is assigned a user role by one of several methods. A user role assigned by one method may take precedence over a user role assigned by a different method. The methods of assigning user roles are, from lowest to highest precedence:

1. The initial user role for unauthenticated clients is configured in the AAA profile for a virtual AP.
2. The user role can be derived from user attributes upon the client’s association with an AP (this is known as a user-derived role). You can configure rules that assign a user role to clients that match a certain set of criteria. For example, you can configure a rule to assign the role “VoIP-Phone” to any client that has a MAC address that starts with bytes xx:yy:zz. User-derivation rules are executed before client authentication.
3. The user role can be the default user role configured for an authentication method, such as 802.1x or VPN. For each authentication method, you can configure a default role for clients who are successfully authenticated using that method.
4. The user role can be derived from attributes returned by the authentication server and certain client attributes (this is known as a server-derived role). If the client is authenticated via an authentication server, the user role for the client can be based on one or more attributes returned by the server during authentication, or on client attributes such as SSID (even if the attribute is not returned by the server). Server-derivation rules are executed after client authentication.
5. The user role can be derived from Aruba Vendor-Specific Attributes (VSA) for RADIUS server authentication. A role derived from an Aruba VSA takes precedence over any other user roles.

In the Aruba user-centric network, the user role of a wireless client determines its privileges, including the priority that every type of traffic to or from the client receives in the wireless network.
Thus, QoS for voice applications is configured when you configure firewall roles and policies.

In an Aruba system, you can configure roles for clients that use mostly data traffic, such as laptop computers, and roles for clients that use mostly voice traffic, such as VoIP phones. Although there are different ways for a client to derive a user role, in most cases the clients using data traffic will be assigned a role after they are authenticated through a method such as 802.1x, VPN, or captive portal. The user role for VoIP phones can be derived from the OUI of their MAC addresses or the SSID to which they associate. This user role will typically be configured to have access allowed only for the voice protocol being used (for example, SIP or SVP).

You must install the Policy Enforcement Firewall license in the controller.

This page displays the current user roles in Aruba Configuration and where they are used. This page contains the columns described in Table 55:

Table 55 Security > User Roles Page Contents

| Column | Description |
| --- | --- |
| Name | Name of the user role. |
| AAA | Displays the AAA profile or profiles that are referenced by the user role. For additional information, refer to “Profiles > AAA” on page 68. |
| Captive Portal Auth | Displays the Captive Portal Auth profiles, if any, that are referenced by the user role. For additional information, refer to “Profiles > AAA > Captive Portal Auth” on page 69. |
| 802.1X Auth | Displays the 802.1X Auth profiles that are referenced by the user role. For additional information, refer to “Profiles > AAA > 802.1x Auth” on page 75. |
| Stateful 802.1X Auth | Displays the Stateful 802.1X Auth profiles that are referenced by the user role. For additional information, refer to “Profiles > AAA > Stateful 802.1X Auth” on page 72. |
| VPN Auth | Displays the VPN Auth profiles that are referenced by the user role. For additional information, refer to “Profiles > AAA > VPN Auth” on page 73. |
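
The precedence order listed at the start of this section can be modelled as a small resolver, which helps when working out why a client ended up with a given role. This is an added example in Python, not code from AirWave or ArubaOS; the class and function names, the role names other than “VoIP-Phone”, the OUI 00:11:22, the Filter-Id rule and the VSA name are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assignment methods, lowest to highest precedence, as listed in this section.
PRECEDENCE = ["initial", "user-derived", "auth-default", "server-derived", "aruba-vsa"]

@dataclass
class Client:
    mac: str
    ssid: str
    auth_method: Optional[str] = None                  # None = not yet authenticated
    server_attrs: dict = field(default_factory=dict)   # attributes returned by the server

@dataclass
class Policy:  # hypothetical container; all values below are constructed samples
    initial_role: str = "logon"
    user_rules: tuple = (("00:11:22", "VoIP-Phone"),)            # (MAC prefix, role)
    auth_defaults: tuple = (("802.1x", "authenticated"),)        # (method, default role)
    server_rules: tuple = (("Filter-Id", "staff", "employee"),)  # (attribute, value, role)
    vsa_name: str = "Aruba-User-Role"  # VSA name as in common RADIUS dictionaries (assumed)

def candidate_roles(client: Client, policy: Policy) -> dict:
    """Return {method: role} for every method that yields a role for this client."""
    found = {"initial": policy.initial_role}
    for prefix, role in policy.user_rules:         # run before authentication
        if client.mac.lower().startswith(prefix.lower()):
            found["user-derived"] = role
            break
    if client.auth_method is None:
        return found                               # later methods need authentication
    defaults = dict(policy.auth_defaults)
    if client.auth_method in defaults:
        found["auth-default"] = defaults[client.auth_method]
    # Server rules may match server attributes or client attributes such as SSID.
    attrs = {**client.server_attrs, "ssid": client.ssid}
    for attr, value, role in policy.server_rules:  # run after authentication
        if attrs.get(attr) == value:
            found["server-derived"] = role
            break
    if policy.vsa_name in client.server_attrs:
        found["aruba-vsa"] = client.server_attrs[policy.vsa_name]
    return found

def effective_role(client: Client, policy: Policy) -> tuple:
    """Pick the candidate from the highest-precedence method; return (method, role)."""
    found = candidate_roles(client, policy)
    method = max(found, key=PRECEDENCE.index)
    return method, found[method]
```

In this model a client that matches the OUI rule keeps the “VoIP-Phone” role only while no higher-precedence method supplies a role; once it authenticates with 802.1x, the default role for that method replaces it.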